- SocGholish, while relatively easy to detect, is difficult to stop.
- Careful campaign management makes analysis difficult for incident responders.
- Proofpoint attributes SocGholish activity to the threat actor TA569.
SocGholish is a malware variant that continues to thrive in the current information security landscape. By utilizing an extensive variety of stages, eligibility checks, and obfuscation routines, it remains one of the most elusive malware families to date. SocGholish was observed in the wild as early as 2018. The absence of details surrounding target selection, evasion logic, the specific procedures TA569 employs, and its use of SocGholish in the intermediary phases of infection contributes to this shroud of mystery.
If the victim’s browser meets the eligibility requirements for infection (using a Windows host, originating from an external source, and specific cookie checks), the user will be presented with the download for a file masquerading as a browser update. Because the update prompt is loaded from the domain the user intended to visit, the purported authenticity of the update is bolstered.
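The attacker's eligibility gating runs server-side and is not visible to defenders, but its result is: a Windows browser that entered a legitimate site from an external source and then downloaded a "browser update" from that same site rather than from a vendor update host. The following added example (not Proofpoint's code, and not part of the original post) correlates constructed HTTP proxy log lines per client to surface that pattern. The tab-separated log format, the field names, the vendor allow-list, and the "update plus browser name" filename heuristic are all assumptions to be adapted to your environment.

```python
"""Flag proxy-log downloads that match the SocGholish fake-update lure pattern.

Added example, not Proofpoint's code. Assumptions: a tab-separated proxy log
(timestamp, client, url, referer, user_agent), an illustrative vendor
allow-list, and a filename heuristic ("update" plus a browser name).
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: hosts from which genuine browser updates are expected.
# Populate from your own environment; these are illustrative only.
VENDOR_UPDATE_HOSTS = {
    "update.googleapis.com",
    "download.mozilla.org",
}

BROWSER_NAMES = ("chrome", "firefox", "edge", "opera")


@dataclass
class ProxyRecord:
    ts: str
    client: str
    url: str
    referer: str
    user_agent: str


def parse_line(line: str) -> ProxyRecord:
    """Parse one tab-separated proxy log line (constructed format)."""
    ts, client, url, referer, ua = line.rstrip("\n").split("\t")
    return ProxyRecord(ts, client, url, referer, ua)


def is_windows_browser(user_agent: str) -> bool:
    """The lure is only served to Windows hosts, so non-Windows rows are noise."""
    return "Windows NT" in user_agent


def looks_like_update_file(url: str) -> bool:
    """Heuristic (assumption): file name mentions both 'update' and a browser."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return "update" in name and any(b in name for b in BROWSER_NAMES)


def find_suspect_downloads(lines):
    """Return (client, url) pairs where a Windows client entered a host from an
    external referrer and later pulled an update-looking file from that host,
    and the host is not a known vendor update domain."""
    externally_entered = defaultdict(set)  # client -> hosts entered via external referrer
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_windows_browser(rec.user_agent):
            continue
        host = urlparse(rec.url).hostname or ""
        ref_host = urlparse(rec.referer).hostname or ""
        # An external source: the referrer exists and is on a different host.
        if ref_host and ref_host != host:
            externally_entered[rec.client].add(host)
        if (
            looks_like_update_file(rec.url)
            and host not in VENDOR_UPDATE_HOSTS
            and host in externally_entered[rec.client]
        ):
            hits.append((rec.client, rec.url))
    return hits


# Constructed sample log: a Windows user arrives at a media site from a search
# result, then downloads "Chrome.Update.zip" from that same site. Other rows are
# benign (vendor update host, non-Windows client) and should not be flagged.
SAMPLE_LOG = """\
2022-11-01T10:00:01Z\t10.0.0.5\thttps://news.example-media.test/article/123\thttps://www.google.com/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0
2022-11-01T10:00:07Z\t10.0.0.5\thttps://news.example-media.test/cdn/Chrome.Update.zip\thttps://news.example-media.test/article/123\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0
2022-11-01T10:01:00Z\t10.0.0.9\thttps://update.googleapis.com/service/update2\t-\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0
2022-11-01T10:02:00Z\t10.0.0.7\thttps://blog.example-media.test/wp-content/Firefox-Update.js\thttps://www.google.com/alerts\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15)
"""


if __name__ == "__main__":
    for client, url in find_suspect_downloads(SAMPLE_LOG.splitlines()):
        print(f"suspect fake-update download: client={client} url={url}")
```

The per-client correlation matters: the download request itself usually carries the compromised site as its referrer, so checking the download row alone would miss the "external source" condition. Treat a hit as a triage lead to be checked against endpoint telemetry, not as a verdict, since the filename heuristic will also match some legitimate downloads.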
Figure 1: SocGholish Overview
Figure 2: Fake Update Served
Initial Lure – Phishing OR Traffic Funneling?
While the tactics of most phishing campaigns are similar across the spectrum of malware, SocGholish deviates from the norm by forgoing all of the traditional hallmarks of phishing campaigns.
- No observed call to action
- No observed sense of urgency
- No threats or promises of rewards
- No blatant trickery or misdirection
Instead, Threat Research has observed SocGholish being leveraged in email campaigns with injections on sites that meet one of two criteria:
- Extensive marketing and legitimate email advertising campaigns.
- Strong SEO (Search Engine Optimization) and page rank causing aggregation and dissemination by Google Alerts and other similar services.
It is worth noting, though, that the vast majority of SocGholish injects are not visible in email campaigns. At the date of publication, Threat Research is tracking over 1000 active implants while only observing a small fraction of those within our own data. According to a two-week sample of SocGholish infection traffic, Proofpoint identified nearly 300 infected websites targeting users in multiple countries, including Poland, Italy, France, Iran, Spain, Germany, the United Kingdom, and the United States, among others.
This begs the question, “Are there multiple types of campaigns with distinct tactics and targeting?”
Figure 3: SocGholish delivered via Google Alert
Putting it All Together
Proofpoint assesses with high confidence that TA569 is a financially motivated threat actor who almost certainly monetizes access gained through the exclusive use and sale of SocGholish infections. Through our investigation and collaboration with partners, Proofpoint has identified that the malware deployed after SocGholish varies based upon the profile of the infected victim’s machine. If the target is domain joined, ransomware, including but not limited to WastedLocker, Hive, and LockBit, is commonly deployed according to a variety of incident response journals. If the victim is not domain joined, a remote access trojan (RAT) will be deployed. Proofpoint assesses with moderate confidence that the deployment of a RAT is an attempt to harvest credentials to secure a foothold on a network suitable for ransomware deployment, such as the target’s employer. Regardless of the victim’s profile, TA569 is extremely aggressive in deploying follow-on malware, leading to a remarkably low dwell time.
The follow-on ransomware activity referenced in this report overlaps with activity publicly reported as EvilCorp, Gold Drake, and UNC2165. As TA569 focuses on initial access into target environments, Proofpoint does not suggest equivalence in attribution between TA569 and actors conducting post-infection activity.
Figure 4: SocGholish as part of a kill chain
Users should be aware of novel social engineering and exploitation mechanisms used by TA569 to deliver malicious payloads, even from trusted sources. This attack chain underscores the importance of consistent, clear communication from organizations concerning user awareness training and software update best practices. SocGholish remains a serious threat to enterprises due to it being delivered through legitimate means and the speed at which the attack progresses from initial access to ransomware. Defenders must be diligent in evaluating alerts and must not be quick to dismiss them as false positives.
For more on this topic, register to attend our webinar, Threat Research Flash Brief: SocGholish Poisons Supply Chain for Major Media Websites, on Tuesday, November 22, 2022, at 10 AM PT, or watch it on demand.
In our next report on TA569, we’ll dive deep into the injections, payloads, and changes in activity observed in 2022 from this threat actor. Stay tuned!